Mint Mobile suffers possible data breach — what you need to do
Mint Mobile, a rather successful low-cost cellular carrier in the United States (and in which Deadpool actor Ryan Reynolds owns a stake), is apparently telling customers that it recently suffered a data breach.
"Between June 8, 2021 and June 10, 2021, a very minor number of Mint Mobile subscribers' telephone numbers, including yours, were temporarily ported to another carrier without permission," reads an apparent Mint Mobile notification message sent to affected users, according to a Reddit post Friday (June 9) that was unearthed by Bleeping Computer.
The exposed data "may have included your name, address, telephone number, email address, password, bill amount, international call item data, telephone number, account number, and subscription features," said the message.
The purported Mint Mobile message did not specify how the attacker(s) got access to the user accounts. Unauthorized number ports at other carriers are sometimes the consequence of tricking or bribing customer-support representatives, although one recent series of ports cited by Bleeping Computer involved attackers getting into the carrier's internal computer system and porting numbers from the inside.
In the Reddit thread following the initial post, a poster claiming to be Mint Mobile co-founder and managing partner Rizwan Khan said that "just the subscribers who received this email were affected."
Tom's Guide has reached out to Mint Mobile for comment and confirmation, including how many users might have been affected, and we will update this story when we receive a reply.
Change your Mint Mobile password now
We think all Mint Mobile users should change their account passwords ASAP, whether or not they received the message posted on Reddit.
If any Mint Mobile users had the same password for their Mint Mobile account as for other accounts, then those users should change the passwords on those accounts as well, and use one of the best password managers to create strong, unique passwords and keep track of them all.
That's because if Mint Mobile users' full, unencrypted passwords were indeed exposed, as the apparent Mint Mobile message to affected customers implies, that's very serious and could lead to a cascading series of compromises.
The Mint Mobile message already said that the attacker(s) had "ported" phone numbers to other carriers and, by implication, other handsets.
That could lead to many more online accounts being taken over if those accounts send a verification text to the user's number when a password-reset request is made.
The attacker will get that text instead of the legitimate user and can reset the password. At least three Reddit users said this happened to their Mint Mobile accounts in early June.
"Took me 6+ stressful hours to get control of all my account and change their passwords," said one of those users. "They were also close to stealing around 30k of my crypto from my Coinbase account but luckily I had physical 2FA for important accounts."
That same user said that Mint Mobile had provided a year of identity-theft protection as a result of the account compromise.
Other accounts may also be in danger
However, if a Mint Mobile user has reused their Mint Mobile password for other accounts that are tied to the same e-mail address, then those accounts can probably be hijacked as well.
Once an attacker gains control of two or three of a victim's online accounts, especially very sensitive ones such as Gmail, Facebook or Apple ID, it's often easy to leverage that control to take over even more of the victim's accounts.
The one thing that can stop a chain of account takeovers dead in its tracks is to enable non-SMS-based two-factor authentication (2FA) on every site that offers it.
That's the one thing Mint Mobile users on Reddit say they've been asking for, yet haven't received.
"If this [2FA] had been implemented when we asked for it ~2 years ago, this hack would not have happened," said one commenter on the original thread.
"Everyone on this sub has been asking for 2FA for years and nothing has been done to implement better security," said another.
Tom's Guide has asked Mint Mobile whether or not the service offers 2FA. However, as another Reddit poster pointed out, 2FA may not have helped in this case if the attacker(s) managed to get into Mint Mobile's internal systems.
Source: https://www.tomsguide.com/news/mint-mobile-data-breach
Posted by: hayesafrome.blogspot.com